CVE-2025-22226

Severity: High · CISA KEV · Active Exploitation

Published: 04 March 2025
Modified: 30 October 2025
KEV Added: 04 March 2025
Patch: see the Broadcom security advisory linked in the Deeper analysis section
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0432 (89.0th percentile)
Risk Priority: 37 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-22226 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in VMware ESXi. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Escape to Host (T1611); ranked in the top 11.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Threat & Defense at a Glance

What attackers do: exploitation maps to Escape to Host (T1611) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Directly remediates the out-of-bounds read vulnerability in HGFS by identifying, prioritizing, and applying vendor patches to affected VMware products.

prevent: Prevents exploitation by configuring VMware systems to disable unnecessary HGFS shared folder functionality, limiting exposure to malicious VMs.

detect: Detects the presence of the vulnerable HGFS component in VMware ESXi, Workstation, and Fusion through regular vulnerability scanning.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1611 Escape to Host (tactic: Privilege Escalation)
Adversaries may break out of a container or virtualized environment to gain access to the underlying host.

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1212 Exploitation for Credential Access (tactic: Credential Access)
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.

Why these techniques?

The out-of-bounds read in HGFS allows a VM administrator to leak memory of the host's vmx process. This directly facilitates Escape to Host (T1611), Exploitation for Privilege Escalation (T1068) by crossing the VM boundary, and Exploitation for Credential Access (T1212) by exposing sensitive data held in that memory.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

NVD Description

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS. A malicious actor with administrative privileges to a virtual machine may be able to exploit this issue to leak memory from the vmx process.

Deeper analysis [AI-generated]

CVE-2025-22226 is an information disclosure vulnerability in VMware ESXi, Workstation, and Fusion, stemming from an out-of-bounds read flaw in the HGFS (Host-Guest File System) component. This issue, classified under CWE-125 (Out-of-bounds Read), carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N). It was published on 2025-03-04 and allows potential exposure of sensitive data from the vmx process.

A malicious actor with administrative privileges within a virtual machine can exploit this vulnerability locally. By triggering the out-of-bounds read in HGFS, the attacker can leak memory contents from the host's vmx process, achieving high confidentiality impact across a changed scope without requiring privileges on the host itself, user interaction, or complex conditions.

Mitigation details are outlined in the official Broadcom security advisory at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-22226, indicating active exploitation in the wild and urging federal agencies to apply patches promptly.

Details

CWE(s): CWE-125 (Out-of-bounds Read)
KEV Date Added: 04 March 2025

Affected Products

Vendor   Product                      Versions
vmware   esxi                         7.0, 8.0
vmware   cloud foundation             all versions
vmware   fusion                       13.0.0 to 13.6.3
vmware   telco cloud infrastructure   2.2, 2.5, 2.7, 3.0
vmware   telco cloud platform         2.0, 2.5, 2.7, 3.0, 4.0
vmware   workstation                  17.0 to 17.6.3

CVEs Like This One

CVE-2025-22225: same product (VMware Cloud Foundation); both on KEV
CVE-2025-22224: same product (VMware Cloud Foundation); both on KEV
CVE-2026-22719: same product (VMware Cloud Foundation); both on KEV
CVE-2026-22721: same product (VMware Cloud Foundation)
CVE-2026-22720: same product (VMware Cloud Foundation)
CVE-2025-41244: same product (VMware Cloud Foundation); both on KEV
CVE-2025-22219: same product (VMware Cloud Foundation)
CVE-2025-24991: shared CWE-125; both on KEV
CVE-2026-3055: shared CWE-125; both on KEV
CVE-2026-40968: same vendor (VMware)

References